Open dougbeattie opened 6 years ago
Good idea for a SERVFAIL test. I have added servfail.caatestsuite-dnssec.com and also refused.caatestsuite-dnssec.com to test a REFUSED reply. My interpretation of the BRs is that if the SERVFAIL or REFUSED comes from outside the CA's infrastructure, the CA retries once, and there is no DNSSEC delegation, then the CA is allowed to issue anyway. Therefore, these tests have a DNSSEC delegation.
For testing timeouts, you can use blackhole.caatestsuite-dnssec.com, which doesn't respond to DNS queries. It has a DNSSEC delegation, so issuance is never allowed.
As for the other suggestions, I'm focusing only on tests that block issuance. Since CAs can be more restrictive than required, it's not possible to craft allowed-to-issue tests that are universally useful. So CAs will need to augment these tests with ones that are appropriate to their own policies.
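The lookup-failure rule described in the reply above (retry once on SERVFAIL, REFUSED or timeout; treat a persistent failure as permission to issue only when there is no DNSSEC delegation), as an added example that is not part of this thread or of caatestsuite's own code. It models a validating resolver with constructed in-memory answers and adds the RFC 8659 tree climb and issue/issuewild evaluation so the failure rule is exercised in context. The `caatestsuite-dnssec.com` names are modelled after the ones named above, with the parent zone treated as having a DS record; the names under `example` and the CA identifier `example-ca.test` are constructed placeholders.

```python
# Added example (not caatestsuite's code): CAA lookup-failure handling with a
# constructed stub resolver. Names under "example" and "example-ca.test" are
# placeholders; "caatestsuite-dnssec.com" is modelled as a DNSSEC-delegated zone.
from dataclasses import dataclass, field
from enum import Enum, auto


class Rcode(Enum):
    NOERROR = auto()   # reply received; the answer may be empty
    SERVFAIL = auto()
    REFUSED = auto()
    TIMEOUT = auto()   # no reply at all (the blackhole case)


class Decision(Enum):
    PERMITTED = auto()
    BLOCKED = auto()


@dataclass
class CaaRecord:
    flags: int         # bit 0x80 is the "critical" flag
    tag: str
    value: str


@dataclass
class Reply:
    rcode: Rcode
    records: list = field(default_factory=list)   # CaaRecords when NOERROR


class StubResolver:
    """Constructed stand-in for a validating resolver.

    answers:  name -> replies returned on successive queries (last one repeats),
              so a flaky name is modelled as [SERVFAIL, ok].
    ds_names: zones with a DS record in their parent. A name counts as under a
              DNSSEC delegation if it or any ancestor is listed (a simplification
              of "has a validation chain to the root").
    """

    def __init__(self, answers, ds_names):
        self.answers = {k: list(v) for k, v in answers.items()}
        self.ds_names = set(ds_names)
        self.queries = []   # every CAA query made, so retries can be checked

    def query_caa(self, name):
        self.queries.append(name)
        seq = self.answers.get(name, [Reply(Rcode.NOERROR)])
        return seq.pop(0) if len(seq) > 1 else seq[0]

    def has_dnssec_delegation(self, name):
        labels = name.rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.ds_names for i in range(len(labels)))


def lookup_with_retry(resolver, name, retries=1):
    """Retry a failed lookup: the rule in the thread requires at least one retry."""
    reply = resolver.query_caa(name)
    for _ in range(retries):
        if reply.rcode is Rcode.NOERROR:
            break
        reply = resolver.query_caa(name)
    return reply


def evaluate_rrset(records, ca_domain, wildcard):
    """Apply a CAA RRset per RFC 8659: critical-unknown tags block, issuewild
    replaces issue for wildcard names, an empty issuer ("issue ;") denies all."""
    for r in records:
        if r.flags & 0x80 and r.tag.lower() not in {"issue", "issuewild", "iodef"}:
            return Decision.BLOCKED, f"unrecognised critical tag {r.tag!r}"
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return Decision.PERMITTED, "no relevant issue/issuewild records"
    for r in relevant:
        if r.value.split(";", 1)[0].strip().lower() == ca_domain.lower():
            return Decision.PERMITTED, f"matched {r.tag} {r.value!r}"
    return Decision.BLOCKED, "no issue/issuewild record names this CA"


def caa_permits(resolver, fqdn, ca_domain, wildcard=False):
    """Climb from fqdn towards the root; stop at the first RRset or failure."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        reply = lookup_with_retry(resolver, name)
        if reply.rcode is not Rcode.NOERROR:
            # Failure persisted after retry; assumed to originate outside the CA.
            if resolver.has_dnssec_delegation(name):
                return Decision.BLOCKED, f"{reply.rcode.name} at {name} under DNSSEC delegation"
            return Decision.PERMITTED, f"{reply.rcode.name} at {name}, no DNSSEC delegation"
        if reply.records:
            return evaluate_rrset(reply.records, ca_domain, wildcard)
    return Decision.PERMITTED, "no CAA records anywhere in the tree"


CA = "example-ca.test"   # placeholder CA identifier


def build_resolver():
    sf, rf, to = Reply(Rcode.SERVFAIL), Reply(Rcode.REFUSED), Reply(Rcode.TIMEOUT)
    ok = Reply(Rcode.NOERROR, [CaaRecord(0, "issue", CA)])
    return StubResolver(
        answers={
            "servfail.caatestsuite-dnssec.com": [sf],    # parent zone has a DS
            "refused.caatestsuite-dnssec.com": [rf],
            "blackhole.caatestsuite-dnssec.com": [to],
            "servfail.example": [sf],                    # constructed unsigned zone
            "flaky.example": [sf, ok],                   # first query fails, retry succeeds
            "deny.example": [Reply(Rcode.NOERROR, [CaaRecord(0, "issue", ";")])],
            "www.deny.example": [Reply(Rcode.NOERROR)],  # no CAA here; parent applies
        },
        ds_names={"caatestsuite-dnssec.com"},
    )


def run_examples():
    resolver = build_resolver()
    return {name: caa_permits(resolver, name, CA) for name in resolver.answers}


if __name__ == "__main__":
    for name, (decision, reason) in run_examples().items():
        print(f"{name:40} {decision.name:9} {reason}")
```

The three `caatestsuite-dnssec.com` names come out BLOCKED because the failure sits under a DNSSEC delegation, while the same failures under the constructed unsigned `example` zone come out PERMITTED after the retry. A CA that is stricter than the BRs (for example, never issuing on any lookup failure) would replace the `has_dnssec_delegation` branch with an unconditional BLOCKED, which is the kind of policy-specific extension the reply above says CAs must add themselves.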
This is a good list of tests, but I was wondering if there are other cases that CAs might want to test for. For example:
Thanks for all of the other tests, this will help validate our CAA logic!